DETAILED ACTION 

1. Claims 1-3, 5-7, and 9-22 have been examined. 

Claim Objections 

2. Claim 22 is objected to because of the following informalities: the claim recites a 
computer-readable medium while it depends on a claim that recites a method. Appropriate 
correction is required. 

Claim Rejections - 35 USC § 103 

3. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

4. Claims 1-4, and 21 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Clifton U.S. Pat. No. 5469556 (hereinafter Clifton) in view of Bacha et al. U.S. Pat. No. 6839843 
(hereinafter Bacha) and further in view of Negishi et al. U.S. Pat. No. 6571278 (hereinafter 
Negishi). 

As per claim 1, Clifton discloses a computer-readable medium having 
computer-executable instructions for protecting domain data against unauthorized modification 
(Clifton: column 2 line 28 - column 4 line 34: provide resource access security system), 
comprising: receiving a request to modify an object (Clifton: column 3 line 67 - column 4 line 8: 
user information related to the requested resources), the object including a security descriptor 
identifying an owner domain in the plurality of domains (Clifton: column 3 lines 8-52: using the 
resource descriptor ... and identify the domain); determining whether the user is within the owner 
domain by retrieving from the security descriptor the identity of the owner domain and 
comparing the owner domain identity to the domain within which the first computing machine 
resides (Clifton: column 3 line 54 - column 4 line 8: the requester's information and the domain 
table; column 3 line 18 - column 4 line 26: use the domain information to determine access); and 
if the user is not within the owner domain, rejecting the request to modify the object (Clifton: 
column 4 lines 18-25: access is only permitted to the resource identified by the user/job, domain, 
and page information). Clifton does not explicitly disclose the first computing machine resides in 
a domain and the security descriptor identifying an owner domain having an identification of one 
or more users. However, Bacha discloses storing electronic data in a database in a 
distributed network and allowing users that are included in an access control list associated with the 
electronic data to access and modify the data and to have ownership privileges (Bacha: 
column 3 lines 2-15). It would have been obvious to one having ordinary skill in the art to store 
the access control list with the electronic data in the form of security descriptor and replace the 
user disclosed by Clifton with requesting computers disclosed by Bacha to achieve data 
protection in distributed network. Therefore, it would have been obvious to one having ordinary 
skill in the art at the time of applicant's invention to combine the teachings of Bacha within the 
system of Clifton because it controls access to data by retrieving security specifications 
associated with the data. Clifton as modified does not explicitly disclose the receiving at a first 
computing machine a request to modify an object associated with a shared data structure and 
plurality of computers involved in the network. However, Negishi discloses that limitation 
(Negishi: column 2 lines 26-42: receiving modification request). The user disclosed by Clifton 
can be represented by computers disclosed by Negishi to apply to the data sharing security 
system. It would have been obvious to one having ordinary skill in the art to combine the 
teachings of Negishi within the system of Clifton because it increases network security by first 
identifying the security of the requester. 

As per claim 2, Clifton as modified discloses the computer-readable medium of claim 1. 
Clifton further discloses if the first computing machine is within the owner domain, allowing the 
request to modify the object (Clifton: column 4 lines 18-25: access is only permitted to the 
resource identified by the user, domain, and page information). 

As per claim 3, Clifton as modified discloses the computer-readable medium of claim 1. 
Clifton as modified does not explicitly disclose that the shared data structure includes at least one data store that 
is replicated among each of the plurality of domains, and wherein the object is contained within 
the replicated data store. However, Negishi discloses that limitation (Negishi: column 2 lines 25- 
42: the replica of the shared data; column 4 lines 27-39: the number of computers is not limited 
to two). It would have been obvious to one having ordinary skill in the art to combine the 
teachings of Negishi within the combination of Clifton-Negishi-Sampson because it prevents 
modification conflicts from taking place on the actual data by resolving the conflict detected in the 
replicated shared file storage. 

As per claim 21, Clifton as modified discloses the computer-readable medium of claim 1. 
Clifton as modified further discloses the security descriptor includes permissions associated with 
the one or more users (Clifton: column 3 lines 8-52: using the resource descriptor... and identify 
the domain). 
5. Claim 5 is rejected under 35 U.S.C. 103(a) as being unpatentable over Clifton in view of 
Bacha and further in view of Negishi and further in view of Dockter et al. U.S. Pat. No. 6295605 
(hereinafter Dockter). 

As per claim 5, Clifton as modified discloses the computer-readable medium of claim 1. 
Clifton-Negishi-Sampson does not explicitly disclose the security descriptor further comprises a 
field that indicates whether a special security evaluation should be performed on requests to 
modify the object, and wherein the computer executable instructions further comprise, if the field 
indicates that the special security evaluation should be performed, causing the special security 
evaluation to be performed. However, Dockter discloses that limitation (Dockter: column 3 lines 
30-38: system resource/object are assigned classification level; column 4 line 43 - column 5 line 
23: further security evaluation is required if the preceding evaluation cannot determine the 
access). It would have been obvious to one having ordinary skill in the art to include information 
in the security descriptor to indicate further security evaluation is required when previous 
security evaluation cannot determine access to resource. Therefore, it would have been obvious 
to one having ordinary skill in the art to combine the teachings of Dockter within the 
combination of Clifton-Bacha-Negishi because it increases the efficiency in evaluating access 
security. 

6. Claim 6 is rejected under 35 U.S.C. 103(a) as being unpatentable over Clifton in view of 
Bacha and further in view of Negishi and further in view of Dockter and further in view of 
Goertzel et al. U.S. Pat. No. 6308273 (hereinafter Goertzel). 
As per claim 6, Clifton as modified discloses the computer-readable medium of claim 5. 
Clifton as modified does not explicitly disclose the special security evaluation comprises 
requesting that a second computing machine within the owner domain evaluate whether an entity 
issuing the request to modify the object is authorized to modify the object. However, Goertzel 
discloses that limitation (Goertzel: column 5 lines 31-67: check the location and domain of the 
requesting computer). It would have been obvious to one having ordinary skill in the art to 
combine the teachings of Goertzel within the combination of Clifton-Bacha-Negishi-Dockter 
because it increases network resource security by limiting access to uncertain domains. 

7. Claims 7-12 and 22 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Clifton in view of Goertzel and further in view of Negishi and further in view of Dockter and 
further in view of Bacha. 

As per claim 7, Clifton discloses a computer-implemented method for protecting domain 
data against unauthorized modification (Clifton: column 2 line 28 - column 4 line 34: provide 
resource access security system), comprising: receiving a request from a user in a first domain 
to modify an object, the request identifies at least one group of which the requester is a member 
(Clifton: column 3 line 54 - column 4 line 8: the requester's information and the domain table), 
the object having an associated security descriptor identifying an owner domain for the object 
(Clifton: column 3 lines 8-52: using the resource descriptor ... and identify the domain). Clifton 
does not explicitly disclose a security token identifying at least one group of which the requester is 
a member. However, Goertzel discloses that limitation (Goertzel: column 9 lines 5-43: the access 
token has security identifier based on user's credentials and group ID). It would have been 
obvious to one having ordinary skill in the art to combine the teachings of Goertzel within the 
system of Clifton because it allows first level security evaluation to be performed based on the 
user's credentials. The combination of Clifton-Goertzel does not explicitly disclose the receiving 
at a first computing machine a request to modify an object associated with a shared data structure 
and plurality of computers involved in the network. However, Negishi discloses that limitation 
(Negishi: column 2 lines 26-42: receiving modification request). It would have been obvious to 
one having ordinary skill in the art to replace user/job disclosed by Clifton by computers 
disclosed by Negishi to apply to the data sharing/network security system. Therefore, it would 
have been obvious to one having ordinary skill in the art to combine the teachings of Negishi 
within the combination of Clifton-Goertzel because it increases network security by first 
identifying the security of the requester. The combination of Clifton-Goertzel-Negishi does not 
explicitly disclose the object having a flag to identify whether a special security evaluation is to 
be performed on requests to modify the object; determining from the flag whether the special 
security evaluation is to be performed on the request to modify the object; if the flag indicates in 
the affirmative, then performing the special security evaluation on the request to modify the 
object by passing the security token associated with the request and the security descriptor 
associated with the object to the owner domain for evaluation; and if the special security 
evaluation approves the request to modify the object then allowing the request to modify the 
object to proceed. However, Dockter discloses that limitation (Dockter: column 3 lines 30-38: 
system resource/object are assigned classification level; column 2 lines 31-50: acquire 
qualification data regarding the access request; column 4 line 43 - column 5 line 23: further 
security evaluation is required if the preceding evaluation cannot determine the access). It would 
have been obvious to one having ordinary skill in the art to include information in the security 
descriptor to indicate further security evaluation is required when previous security evaluation 
cannot determine access to resource. Therefore, it would have been obvious to one having 
ordinary skill in the art to combine the teachings of Dockter within the combination of Clifton- 
Goertzel-Negishi because it increases the efficiency in evaluating access security. Clifton as 
modified does not explicitly disclose the object having an associated security descriptor and 
having an identification of one or more users. However, Bacha discloses that limitation (Bacha: 
column 3 lines 3-17). Same rationale applies here as above in claim 1. 

As per claim 9, Clifton as modified discloses the method according to claim 7. Dockter 
further discloses if the flag indicates in the negative, then performing a security evaluation on the 
request to modify the object (Dockter: column 4 line 45 - column 5 line 23: continue evaluation 
if the previous evaluation result is undetermined). It would have been obvious to one having 
ordinary skill in the art to combine the teachings of Dockter within the combination of Clifton- 
Goertzel-Negishi-Dockter-Bacha because it allows the system to avoid further evaluation if the 
requester cannot pass basic evaluations. 

As per claim 10, Clifton as modified discloses the method according to claim 9. Goertzel 
further discloses the security evaluation comprises comparing the security token with the security 
descriptor to determine whether the requester is a member of any groups that have been granted 
permission to access the object (Goertzel: column 9 lines 5-43). It is obvious to one having 
ordinary skill in the art to adopt different types of security evaluation based on different user 
information. Therefore, it would have been obvious to one having ordinary skill in the art to 
combine the teachings of Goertzel within the combination of Clifton-Goertzel-Negishi-Dockter- 
Bacha because it is well known in the art to execute access control based on user 
information/credentials as well as user's security level. 

As per claim 11, Clifton as modified discloses the method according to claim 10. Negishi 
further discloses the security evaluation further comprises determining whether the request to 
modify the object is a modification for which the requester is privileged on the first machine 
regardless of whether the requester is a member of any groups that have been granted permission 
to access the object (Negishi: column 3 lines 1-45: the security evaluation is based on the 
classification level of the users). It would have been obvious to one having ordinary skill in the 
art to combine the teachings of Negishi within the combination of Clifton-Goertzel-Negishi- 
Dockter-Bacha because it is well known in the art to execute access control based on user 
information/credentials as well as user's security level. 

As per claim 12, Clifton as modified discloses the method according to claim 11. 
Goertzel further discloses the security evaluation further comprises if the requester is privileged 
to perform the request to modify the object, and the requested modification is a fundamental 
modification of the object, then denying the request if the first domain is not the owner domain 
for the object (Goertzel: column 1 line 55 - column 2 line 10; column 5 lines 11-67: the normal 
access token is restricted if the user is not within the domain or location authorized by the 
system). It would have been obvious to one having ordinary skill in the art to combine the 
teachings of Goertzel within the combination of Clifton-Goertzel-Negishi-Dockter-Bacha 
because it prevents unauthorized parties from accessing network resources through unauthorized links. 
As per claim 22, Clifton as modified discloses the method of claim 1. Clifton as modified 
further discloses the security descriptor includes permissions associated with the one or more 
users (Clifton: column 3 lines 8-52: using the resource descriptor... and identify the domain). 

8. Claims 13 and 20 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Sampson in view of Negishi and further in view of Clifton and further in view of Bacha. 

As per claim 13, Sampson discloses a computer-readable medium having 
computer-executable components to protect domain data against unauthorized modification 
(Sampson: column 3 lines 20-43: access control system); comprising: a shared data structure that 
spans a plurality of domains (Sampson: column 4 lines 13-21: multiple domains), at least two 
domains in the plurality of domains having a transitive trust relationship wherein a user 
authentication within one of the two domains is honored in the other of the two domains 
(Sampson: column 3 lines 20-33). Sampson does not explicitly disclose the shared data structure 
having at least one data store that is replicated among each of the plurality of domains. However, 
Negishi discloses that limitation (Negishi: column 2 lines 29-31: replica of shared data; column 4 
lines 27-39: the number of computers is not limited to two, and the same components are provided to 
both computers, which means that each computer has a replica of the shared data). It would have been 
obvious to one having ordinary skill in the art to combine the teachings of Negishi within the 
system of Sampson because it prevents modification conflict to take place on the actual data by 
resolving the conflict detected in the replicated shared file storage. The combination of Sampson- 
Negishi does not explicitly disclose an object stored within the data store, the object having a 
plurality of attributes, at least one of the attributes being related to security access rights 

Application/Control Number: 09/663,811 Page 11 

Art Unit: 2131 

associated with the object, the security access rights including an owner domain identifier 
identifying one of the domains within the plurality of domains. However, Clifton discloses those 
limitations (Clifton: column 3 lines 8-52). It would have been obvious to one having ordinary 
skill in the art to combine the teachings of Clifton within the combination of Sampson-Negishi 
because it increases security by prohibiting users from accessing data based on their domain 
information. Negishi further discloses a security system configured to receive a request to 
modify the object (Negishi: column 2 lines 29-31: a receiver for receiving modification request). 
It would have been obvious to one having ordinary skill in the art to combine the teachings of 
Negishi within the combination of Sampson-Negishi-Clifton because it is obvious to receive an 
access request before the system can execute access control. Clifton further discloses to retrieve 
from the object the owner domain identifier, to compare the owner domain identifier with an 
identifier of a domain from which the request originated, and to reject the request to modify the 
object if the owner domain identifier does not match the identifier of the domain from which the 
request originated (Clifton: column 3 line 53 - column 4 line 26). Same rationale applies here as 
above. Sampson as modified does not explicitly disclose the object having an associated security 
descriptor and having an identification of one or more users. However, Bacha discloses that 
limitation (Bacha: column 3 lines 3-17). Same rationale applies here as above in claim 1. 

As per claim 20, Sampson as modified discloses the computer readable medium 
according to claim 13. Clifton further discloses the at least one attribute comprises a security 
descriptor, and the owner domain identifier is part of an owner security identifier (Clifton: 
column 3 lines 8-53). It would have been obvious to one having ordinary skill in the art to 
combine the teachings of Clifton within the combination of Sampson-Negishi-Clifton-Bacha 
because it increases security by prohibiting users from accessing data based on their domain 
information. 

9. Claims 14 and 15 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Sampson in view of Negishi and further in view of Clifton and further in view of Bacha and 
further in view of Jiang et al. U.S. Pat. No. 6453354 (hereinafter Jiang) and further in view of 
Gupta et al. U.S. Pat. No. 6226752 (hereinafter Gupta). 

As per claim 14, Sampson as modified discloses the computer readable medium 
according to claim 13. Sampson as modified does not explicitly disclose the security access 
rights associated with the object further comprise an indicator that an attempt to access the object 
is to be evaluated within the domain identified by the owner domain; and the security system is 
further configured to, prior to performing a security evaluation on a received request to modify 
the object, determine from the indicator whether the request to modify the object should be 
evaluated within the domain identified by the owner domain, and if so, to return a notification to 
the requestor that the security evaluation is to be evaluated within the domain identified by the 
owner domain. However, Jiang discloses access request to file system is forwarded to owner of 
the file if the request is not received by the owner of the file system (Jiang: column 13 lines 4- 
61). It would have been obvious to one having ordinary skill in the art to combine the teachings 
of Jiang within the combination of Sampson-Negishi-Clifton-Bacha because it prevents a system 
from processing a request that it is not capable of processing. Jiang also discloses the first system 
forwards the request to another file system if it is not the owner of the requested file. Jiang does 
not explicitly disclose redirecting the requestor to another system. However, Gupta discloses that 
limitation (Gupta: column 14 line 65 - column 15 line 35: redirect the client requestor to the 
second server). It would have been obvious to one having ordinary skill in the art to combine the 
teachings of Gupta within the combination of Sampson-Negishi-Clifton-Bacha-Jiang because it 
allows direct communication between two parties. 

As per claim 15, Sampson as modified discloses the computer-readable medium 
according to claim 14. Sampson as modified further discloses the notification to the requester 
comprises a referral message including an identification of the owner domain (Gupta: column 12 
lines 13-24: redirect message). It would have been obvious to one having ordinary skill in the art 
to combine the teachings of Gupta within the combination of Sampson-Negishi-Clifton-Bacha- 
Jiang-Gupta because it helps the requestor to connect to the second server without much 
interaction. 
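The evaluation sequence the examiner maps across claims 1, 7, 10, 12 and 14-15 (standard ACL check against the requester's token, denial of fundamental changes from outside the owner domain, and either owner-domain evaluation or a referral message naming the owner domain when the descriptor's flag is set) can be modelled in a few dozen lines. The following is an added illustration, not code from the application or from any of the cited patents; the data model, the permission name `modify`, the domain names and the `owner_domain_evaluator` hook are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Optional

MODIFY = "modify"  # constructed permission name used in the ACL


@dataclass(frozen=True)
class SecurityToken:
    """Requester identity carried with the request (claim 7): user, authenticating domain, groups."""
    user: str
    domain: str
    groups: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class SecurityDescriptor:
    """Security attribute stored with the replicated object (claims 1, 13, 21)."""
    owner_domain: str
    acl: Dict[str, FrozenSet[str]]      # principal (user or group) -> granted permissions
    special_evaluation: bool = False    # the claim 5/7 flag, the claim 14 indicator


@dataclass(frozen=True)
class Decision:
    outcome: str                        # "allow", "deny" or "refer"
    reason: str
    referral_domain: Optional[str] = None  # claim 15: owner domain named in the referral


def standard_evaluation(token: SecurityToken, sd: SecurityDescriptor) -> bool:
    """Claim 10: compare the token with the descriptor; any matching user or group with MODIFY passes."""
    principals = {token.user} | set(token.groups)
    return any(MODIFY in sd.acl.get(p, frozenset()) for p in principals)


def evaluate_modify_request(
    local_domain: str,
    token: SecurityToken,
    sd: SecurityDescriptor,
    fundamental: bool = False,
    owner_domain_evaluator: Optional[Callable[[SecurityToken, SecurityDescriptor], bool]] = None,
) -> Decision:
    """Decision taken by the first computing machine, which resides in local_domain.

    Claim 1 is the strict case: treat every modification as fundamental, so any
    requester outside the owner domain is rejected before the ACL is consulted.
    """
    # Claims 9-10: a requester with no matching ACL entry never gets further.
    if not standard_evaluation(token, sd):
        return Decision("deny", "no user or group in the token holds MODIFY on the object")
    # Claim 12: a fundamental change is accepted only from the owner domain,
    # whatever the ACL on the local replica says.
    if fundamental and token.domain != sd.owner_domain:
        return Decision("deny", f"fundamental modification from {token.domain}; owner is {sd.owner_domain}")
    if sd.special_evaluation:
        if local_domain == sd.owner_domain:
            # Claims 6-7: a second machine in the owner domain (the evaluator hook, an
            # assumption of this example) is handed the token and descriptor.
            if owner_domain_evaluator is None or owner_domain_evaluator(token, sd):
                return Decision("allow", "special evaluation approved in owner domain")
            return Decision("deny", "special evaluation rejected in owner domain")
        # Claims 14-15: this replica is not in the owner domain, so instead of
        # deciding locally it returns a referral that names the owner domain.
        return Decision("refer", "special evaluation must be performed in the owner domain",
                        referral_domain=sd.owner_domain)
    return Decision("allow", "standard evaluation passed")


# Constructed sample data: a replicated directory object owned by "corp.example"
# and a request arriving at a replica in the child domain "sales.example".
OBJECT_SD = SecurityDescriptor(
    owner_domain="corp.example",
    acl={"Directory-Admins": frozenset({MODIFY, "read"}), "alice": frozenset({"read"})},
    special_evaluation=True,
)
ADMIN_TOKEN = SecurityToken("alice", "sales.example", frozenset({"Directory-Admins"}))

if __name__ == "__main__":
    print(evaluate_modify_request("sales.example", ADMIN_TOKEN, OBJECT_SD))
```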

10. Claim 16 is rejected under 35 U.S.C. 103(a) as being unpatentable over Sampson in view 
of Negishi and further in view of Clifton and further in view of Bacha and further in view of 
Goertzel. 

As per claim 16, Sampson as modified discloses the computer readable medium 
according to claim 13. Sampson as modified does not explicitly disclose the security system is 
further configured to determine whether the request to modify the object originated within a 
particular domain of the plurality of domains, and if so, then to perform a standard security 
evaluation of the request to modify the object without resort to the owner domain. However, 
Goertzel discloses that limitation (Goertzel: column 1 line 55 - column 2 line 10; column 5 lines 
11-67: the normal access token is restricted if the user is not within the domain or location 
authorized by the system). It would have been obvious to one having ordinary skill in the art to 
combine the teachings of Goertzel within the combination of Sampson-Negishi-Clifton-Bacha 
because it prevents unauthorized parties from accessing network resources through unauthorized links 
and it enhances security measures if the request did not originate from authorized domains or 
locations. 

11. Claim 17 is rejected under 35 U.S.C. 103(a) as being unpatentable over Sampson in view 
of Negishi and further in view of Clifton and further in view of Bacha and further in view of 
Goertzel and further in view of Bellovin et al. U.S. Pat. No. 5805820 (hereinafter Bellovin). 

As per claim 17, Sampson as modified discloses the computer readable medium 
according to claim 16. Sampson as modified does not explicitly disclose the particular domain is 
a root domain of the shared data structure. However, Bellovin discloses that limitation (Bellovin: 
column 3 lines 16-59 and figures 1 and 3: the root domain has the highest level of authority for 
domain names). It would have been obvious to one having ordinary skill in the art to combine the 
teachings of Bellovin within the combination of Sampson-Negishi-Clifton-Bacha-Goertzel 
because the root domain has the highest level of authority, and therefore has the authority to process all of 
the access requests. 

12. Claim 18 is rejected under 35 U.S.C. 103(a) as being unpatentable over Sampson in view 
of Negishi and further in view of Clifton and further in view of Bacha and further in view of 
Antur et al. U.S. Pat. No. 6243815 (hereinafter Antur). 
As per claim 18, the combination of Sampson-Negishi-Clifton discloses the computer 
readable medium according to claim 13. Sampson-Negishi-Clifton does not explicitly disclose 
the shared data structure comprises a directory service and wherein the at least one data store 
comprises configuration data associated with the directory service. However, Antur discloses 
that limitation (Antur: column 2 lines 35-49: storing configuration data by network directory 
service server). It would have been obvious to one having ordinary skill in the art to combine the 
teachings of Antur within the combination of Sampson-Negishi-Clifton-Bacha because it 
improves firewall configuration by updating and reconfiguring network firewall at a single 
administration point. 

13. Claim 19 is rejected under 35 U.S.C. 103(a) as being unpatentable over Sampson in view 
of Negishi and further in view of Clifton and further in view of Bacha and further in view of 
Lumelsky et al. U.S. Pat. No. 6466980 (hereinafter Lumelsky). 

As per claim 19, Sampson as modified discloses the computer readable medium 
according to claim 13. Sampson as modified does not explicitly disclose the shared data structure 
comprises a directory service and wherein the at least one data store comprises schema data 
associated with the directory service. However, Lumelsky discloses that limitation (Lumelsky: 
column 9 line 22 - column 10 line 3: replica directory maintained by directory 
service ... including schema and data). It would have been obvious to one having ordinary skill in 
the art to combine the teachings of Lumelsky within the combination of Sampson-Negishi- 
Clifton because it provides an adaptive resource management function for distributed resources that 
could shape system capacity to the needs of the environment. 
Response to Arguments 

13. Applicant's arguments filed on 7/13/05 have been fully considered but they are not 
persuasive. 

Regarding applicant's remarks, applicant argues that a user domain and an owner domain are 
different. The examiner has cited new prior art disclosing that access to electronic data is controlled 
by an access control list associated with the data, and that the access control list includes user 
identifications. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Shin-Hon Chen whose telephone number is (571) 272-3789. The 
examiner can normally be reached on Monday through Friday 8:30am to 5:30pm. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Ayaz Sheikh can be reached on (571) 272-3795. The fax phone number for the 
organization where this application or proceeding is assigned is 703-872-9306. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 

Conclusion 

Shin-Hon Chen 